a security reference architecture for cloud systems
play

A SECURITY REFERENCE ARCHITECTURE FOR CLOUD SYSTEMS Eduardo B. - PowerPoint PPT Presentation

Aug 10, 2023 •304 likes •1.08k views

A SECURITY REFERENCE ARCHITECTURE FOR CLOUD SYSTEMS Eduardo B. Fernandez Dept. of Computer Science and Engineering Florida Atlantic University Boca Raton, FL, USA http://www.cse.fau.edu/~ed ed@cse.fau.edu Secure Systems Research Group - FAU

  1. A SECURITY REFERENCE ARCHITECTURE FOR CLOUD SYSTEMS Eduardo B. Fernandez Dept. of Computer Science and Engineering Florida Atlantic University Boca Raton, FL, USA http://www.cse.fau.edu/~ed ed@cse.fau.edu Secure Systems Research Group - FAU

  2. Ab o t me t me • Professor of Computer Science at Florida Atlantic University, Boca Raton, FL., USA • At IBM for 8 years (L.A. Scientific Center). • Wrote the first book on database security (Addison-Wesley, 1981). • Author of many research papers • Consultant to IBM, Siemens, Lucent, … • Ing Elect. UTFSM, MS EE Purdue U, PhD CS UCLA • Now a visiting professor in Chile (UTFSM) Secure Systems Research Group - FAU

  3. Secure Systems Research Group - FAU

  4. Secure Systems Research Group - FAU

  5. Objecti ctiv et et • Get a panorama of security patterns and their use • Consider a systematic approach to build secure systems based on patterns and UML • Building Security Reference Architectures for Clouds using patterns Secure Systems Research Group - FAU

  6. The value of information • Individuals and enterprises rely on information for credit, health, professional work, business, education, … • Illegal access (reading or modification) to information can produce serious problems • Because of its value, information is a growing target of attacks Secure Systems Research Group - FAU

  7. Security objectives • Confidentiality--no leakage of sensitive or private information • Integrity-- no unauthorized modification or destruction of information • Availability (No denial of service) -- annoying , costly • Accountability (Non-repudiation)-- legally significant Secure Systems Research Group - FAU

  8. Countermeasures • Identification and Authentication– we must know who are you • Access control/ authorization --provide confidentiality and integrity • Information hiding (cryptography, steganography)– making information unintelligible • Auditing-- basis for prosecution or improvements to the system • Intrusion detection—attack alerting Secure Systems Research Group - FAU

  9. Current situation • The Internet is an insecure place and attacks keep occurring • One of the main reasons is the poor quality of the software used in systems and application software • Software engineering neglected security for a long time, emphasis on development speed, no features that can be sold, … Secure Systems Research Group - FAU

  10. Remedies • Help designers build secure code using a systematic approach, even if they do not know much about security • Provide units of security (packed solutions to specific problems) with catalogs and tools • Build security together with the functional part of the application • Use a model-based approach Secure Systems Research Group - FAU

  11. Approaches to security Model checking Verification Theoretical and Analysis of composability Security of systems UML/OCL Certification models Model-driven Security Security patterns Vulnerability analysis Code-based Code Security examination Best practices Certification 8/9/13 11 Secure Systems Research Group - FAU

  12. Need for a conceptual approach I • Security should be applied where the application semantics is understood • Security is an all-levels problem • We should start from high-level policies that can be mapped to the lower levels • We need precise models to guide system development • Consider a layered architecture 8/9/13 12 Secure Systems Research Group - FAU

  13. Need for conceptual structure II • A unified system is easier to understand: better design, better administration • Easier to analyze effect of new hardware or software • Start from policies and models • Apply security throughout the lifecycle 8/9/13 13 Secure Systems Research Group - FAU

  14. Patterns • A pattern is a solution to a recurrent problem in a specific context • Idea comes from architecture of buildings (C. Alexander) • Applied initially to software and then extended to other domains • Appeared in 1994 and are slowly being accepted by industry Secure Systems Research Group - FAU

  15. Value • Reusable solutions, but maybe not directly, usually require tailoring • Encapsulate experience and knowledge of designers (best practices) • Free of errors after a while • Need to be catalogued to be useful • Used as guidelines for design • Good to evaluate systems and standards • Useful for teaching Secure Systems Research Group - FAU

  16. Value of security patterns • Can describe security principles (Single Point of Access) or security mechanisms (Firewalls) • Can guide the design and implementation of the security mechanism itself • Can guide the use of security mechanisms in an application (stop specific threats) • Can help understanding and use of complex standards (XACML, WiMax) • Good for teaching security principles and mechanisms Secure Systems Research Group - FAU

  17. POSA template • Intent (thumbnail) • Example • Context • Problem and forces • Solution: in words, UML models (static and dynamic) • Implementation • Example resolved • Known uses • Consequences • See also (related patterns) Secure Systems Research Group - FAU

  18. Structure of the solution ExternalHost LocalHost requestService requestService 1 1 * * PFFirewall address address 1 RuleBase addRule deleteRule modifyRule reorderRules {ordered} * Rule in/out ExplicitRule DefaultRule Secure Systems Research Group - FAU

  19. Filtering a client ’ s request «actor» :Firewall :RuleBase :Rule :LocalHost :ExtHost requestService( ) requestService( ) checkRule accept accept requestService( ) Secure Systems Research Group - FAU

  20. Using the patterns • Catalogs of patterns are not enough, designers must be given guidance in their use • There are many patterns (growing in number) and the task of selecting them gets harder • A first approach is to classify the patterns according to some criteria Secure Systems Research Group - FAU

  21. We can use patterns at all levels • Patterns for models define the highest level • At each lower level we refine the patterns at the previous level to consider the specific aspects of each level • We ’ ll analyze some patterns from each layer Secure Systems Research Group - FAU

  22. Applic. Layer: Access control models • Authorization. How do we describe who is authorized to access specific resources in a system? A list of authorization rules describes who has access to what and how. • Role-Based Access Control (RBAC). How do we assign rights to people based on their functions or tasks? Assign people to roles and give rights to these roles so they can perform their tasks. • Multilevel Security. How to decide access in an environment with security classifications. Secure Systems Research Group - FAU

  23. Role-Based Access Control • Users are assigned roles according to their functions and given the needed rights (access types for specific objects) • When users are assigned by administrators, this is a mandatory model • Can implement least privilege and separation of duty policies Secure Systems Research Group - FAU

  24. Basic RBAC pattern User * MemberOf * Role * Authorization_rule * ProtectionObject id id id name name name Right access_type predicate copy_flag checkRights Secure Systems Research Group - FAU

  25. Basic condition Authorization Content-based s = Role CopyFlag Authorization s or o = attribute values Delegatable Basic Authorization RBAC authorizer ABAC Explicitly Granted session Authorization session Session-based session session Session-based Access Session RBAC ABAC Secure Systems Research Group - FAU

  26. Web services security • Application Firewall [Del04]. The application firewall filters calls and responses to/from enterprise applications, based on an institution access control policies. • XML Firewall [Del04]. Filter XML messages to/from enterprise applications, based on business access control policies and the content of the message. • XACML Authorization [Del05]. Enable an organization to represent authorization rules in a standard manner. • XACML Access Control Evaluation [Del05]. This pattern decides if a request is authorized to access a resource according to policies defined by the XACML Authorization pattern. . • WSPL [Del05]. Enable an organization to represent access control policies for its web services in a standard manner. It also enables a web services consumer to express its requirements in a standard manner. Secure Systems Research Group - FAU

  27. Standards for web services security Business WS-Federation BPEL4WS Workflow WS-SecureC onversation WS-Authorization WSCI WSPL WS-Trust WS-Policy WSDL C atalog and Web Services Description WS-Privacy UD DI security UDDI WS1 WS2 ebXML sec ebXML Registry C omm unicatio ns SAM L X ML SAML . . . Encr yption H EADE R P AYLOAD XML Encryption - X ACML XML Signature XML SOA P XKMS D ocument Storage SOAP XML WS-Security Transports . . . D BMS HTTP SSL OS TCP/IP processes memory file system Web services lay ers Standards Supporting structures Security Standards/ Specificatio ns Secure Systems Research Group - FAU

  28. XML firewall • Controls input/output of XML applications • Well-formed documents (schema as reference) • Harmful data (wrong type or length) • Encryption/decryption • Signed documents 8/9/13 28 Secure Systems Research Group - FAU

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reference Architecture for SOA OASIS Service Oriented Architecture Reference Model TC 1

Reference Architecture for SOA OASIS Service Oriented Architecture Reference Model TC 1

Reference Architecture for SOA OASIS Service Oriented Architecture Reference Model TC 1 Systems and eco- systems Multiple ownership domains No one entity controls everything Parallel development, deployment and usage of services A medium

564 views • 43 slides
Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security risks. Attacks in a cloud environment, top threats. Security, a major concern for cloud users. Privacy. Trust. Operating systems

661 views • 38 slides
Towards a Reference Architecture for Service- Oriented Cross Domain Security Infrastructures Wen

Towards a Reference Architecture for Service- Oriented Cross Domain Security Infrastructures Wen

Towards a Reference Architecture for Service- Oriented Cross Domain Security Infrastructures Wen Zhu Dr. Lowell Vizenor Dr. Avinash Srinivasan 7 th International Conference on Internet and Distributed Computing Systems Agenda Background

128 views • 12 slides
Systems, Security, and the Cloud (IoTSSC) Paul Patras Image: sns-it.ca Course Objectives

Systems, Security, and the Cloud (IoTSSC) Paul Patras Image: sns-it.ca Course Objectives

Internet of Things Systems, Security, and the Cloud (IoTSSC) Paul Patras Image: sns-it.ca Course Objectives Give you technical grounding in key aspects of Internet of Things (IoT), including IoT systems architecture, hardware

816 views • 50 slides
Towards a Reference Architecture for Advanced Planning Systems Melina Vidoni and Aldo Vecchietti

Towards a Reference Architecture for Advanced Planning Systems Melina Vidoni and Aldo Vecchietti

Towards a Reference Architecture for Advanced Planning Systems Melina Vidoni and Aldo Vecchietti Institute of Design and Development, INGAR CONICET-UTN Santa Fe, Argentina. 2016. Towards a Reference Architecture for Advanced Planning Systems |

183 views • 15 slides
Reference Architecture A Reference Architecture for Web Servers by Hassan, Holt SWAG

Reference Architecture A Reference Architecture for Web Servers by Hassan, Holt SWAG

Reference Architecture A Reference Architecture for Web Servers by Hassan, Holt SWAG UoW Reference Architecture Definition A reference architecture for a domain defines the fundamental components of the domain and the

461 views • 24 slides
Secure Networks Starting with Basic Reference Model for Security Architecture A Historic Review

Secure Networks Starting with Basic Reference Model for Security Architecture A Historic Review

Secure Networks Starting with Basic Reference Model for Security Architecture A Historic Review of a Nascent Industry Seattle University CSSE 572 Spring 2008 Mohsen Banan Guest Speaker May 15, 2008 Less Talked About Security

215 views • 19 slides
Cryptography Seny Kamara Cryptography Group Microsoft Research Outline Cloud Architecture

Cryptography Seny Kamara Cryptography Group Microsoft Research Outline Cloud Architecture

Cloud Cryptography Seny Kamara Cryptography Group Microsoft Research Outline Cloud Architecture What is cloud computing? o Cloud Ecosystem Who provides and who consumes cloud services? o Cloud Cryptography What are the security

637 views • 34 slides
The Intersection of Application and Security Architecture Through the lens of distributed

The Intersection of Application and Security Architecture Through the lens of distributed

The Intersection of Application and Security Architecture Through the lens of distributed systems Walt Williams Who is this bloke? Author of Security for Service Oriented Architecture, CRC press 2014 Director of Information Security,

1.12k views • 55 slides
Exploring Architecture Options for a Federated, Cloud-based Systems Biology Knowledgebase Ian

Exploring Architecture Options for a Federated, Cloud-based Systems Biology Knowledgebase Ian

Exploring Architecture Options for a Federated, Cloud-based Systems Biology Knowledgebase Ian Gorton, Jenny Liu, Jian Yin 1 Systems Biology Systems Biology Integrated study of organisms as a whole Obtain, integrate, and analyze complex data

208 views • 16 slides
Security Monitoring and Enforcement for the Cloud Model Aryan TaheriMonfared

Security Monitoring and Enforcement for the Cloud Model Aryan TaheriMonfared

Infrastructure Architecture for a Cloud IaaS Provider Software Defined Networking and Network Virtualization Network Monitoring Security Enforcement Inter-Domain Routing for Virtualized Networks Security Monitoring and Enforcement for the

795 views • 42 slides
Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the

Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the

Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the Cloud? How the Cloud is delivered: Iaas, PaaS and SaaS Cloud security challenges and risk Current Cloud security report Cloud security technology

302 views • 27 slides
Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined)

Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined)

Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined) Administrative discussions Stephen McCamant University of Minnesota Multi-Cloud Oblivious Storage Old and new topics in security Cloud threats, old and new

645 views • 8 slides
1 1.2. Guidelines for Information Security of Cloud Computing Category Main contents of measure

1 1.2. Guidelines for Information Security of Cloud Computing Category Main contents of measure

Agenda Related Polices to Cloud Computing I. Guidelines for Information Security of Cloud II. Computing Cloud Security Certification Scheme in KOREA Cloud Security Certification Program in Korea III. April. 11, 2017 Jungduk (JD) KIM, Ph.

403 views • 5 slides
Cloud Computing for on-Demand Resource Provisioning Distributed Systems Architecture Research

Cloud Computing for on-Demand Resource Provisioning Distributed Systems Architecture Research

7th NRENs and Grids Workshop Trinity College, Dublin, September 2, 2008 Cloud Computing for on-Demand Resource Provisioning Distributed Systems Architecture Research Group Universidad Complutense de Madrid 1/23 Objectives Show the benefits

354 views • 23 slides
Reference Architecture for the Operationalization of a BCMS Boban Kr i , Chief Information

Reference Architecture for the Operationalization of a BCMS Boban Kr i , Chief Information

Reference Architecture for the Operationalization of a BCMS Boban Kr i , Chief Information Security Officer verinice.XP - Berlin, 07. February 2017 DENIC Mission Founded in 1996 as a cooperative in Frankfurt / Main. Act as a

426 views • 31 slides
Approaching Security from an "Architecture First" Perspective Rick Kazman, University

Approaching Security from an "Architecture First" Perspective Rick Kazman, University

Approaching Security from an "Architecture First" Perspective Rick Kazman, University of Hawaii Jungwoo Ryoo, Penn State University Humberto Cervantes, Universidad Autonoma Metropolitana-Itztapalapa An Architectural Approach

435 views • 24 slides
Next Generation Ethernet Alan McGuire, New Wave Networks, OneIT, BT Enterprises

Next Generation Ethernet Alan McGuire, New Wave Networks, OneIT, BT Enterprises

Next Generation Ethernet Alan McGuire, New Wave Networks, OneIT, BT Enterprises Enterprises look to scale a single community of interest They are their own customer Which may range in size from a small number of desktops to an

129 views • 10 slides
Retailer To Consumer Legislation And The Pros and Cons of Reciprocity Tom Wark, Executive

Retailer To Consumer Legislation And The Pros and Cons of Reciprocity Tom Wark, Executive

Retailer To Consumer Legislation And The Pros and Cons of Reciprocity Tom Wark, Executive Director NAWR Wine Retailer Summit 2018 Permit Laws VS. Reciprocity Laws PERMIT LAWS : Any retailer in any state may apply for a states Shipping

731 views • 14 slides
Workshop Y Highly Competitive Transportation & Logistics Industry Major Income &

Workshop Y Highly Competitive Transportation & Logistics Industry Major Income &

28th Annual Tuesday & Wednesday, January 2930, 2019 Hya Regency Columbus, Columbus, Ohio Workshop Y Highly Competitive Transportation & Logistics Industry Major Income & Sales Tax Issues Tuesday, January 29, 2019 4:15

426 views • 31 slides
Next Generation Security Adaptive | Intelligent | Resilient Scott Montgomery VP, Chief Technical

Next Generation Security Adaptive | Intelligent | Resilient Scott Montgomery VP, Chief Technical

NIST Cyber Security Framework & Healthcare IT Security Clarksville, MD | 22 April 2016 | Annual Spring Conference Next Generation Security Adaptive | Intelligent | Resilient Scott Montgomery VP, Chief Technical Strategist

523 views • 24 slides
Secure Relocation: Understanding Data Security Dave Siegel Siegel

Secure Relocation: Understanding Data Security Dave Siegel Siegel

Secure Relocation: Understanding Data Security Dave Siegel Siegel Data Management (SDM) resources bring nearly 100 man-years of global business experience

519 views • 15 slides
Security and Resilience Juan Torres, SNL April 21, 2016 Overview The "Security and

Security and Resilience Juan Torres, SNL April 21, 2016 Overview The "Security and

Security and Resilience Juan Torres, SNL April 21, 2016 Overview The "Security and Resilience" focus area has five main activities, based on the NIST cybersecurity framework, but expanded to all- hazards. Improve the Ability to

647 views • 6 slides
BitSight Security Ratings www.bitsighttech.com Trends 2 www.bitsighttech.com Increasing

BitSight Security Ratings www.bitsighttech.com Trends 2 www.bitsighttech.com Increasing

BitSight Security Ratings www.bitsighttech.com Trends 2 www.bitsighttech.com Increasing governance and assurance required Subsidiary Third Party Risk Risk Management Management Fourth Party Risk Benchmarking Management Cyber

407 views • 29 slides

More recommend